Transparent LAN Service Over Cable

Transparent LAN Service over Cable

This document describes the Transparent LAN Service (TLS) over Cable feature, which enhances existing Wide Area Network (WAN) support to provide more flexible Managed Access for multiple Internet service provider (ISP) support over a hybrid fiber-coaxial (HFC) cable network. This feature allows service providers to create a Layer 2 tunnel by mapping an upstream service identifier (SID) to an IEEE 802.1Q Virtual Local Area Network (VLAN).

Finding Feature Information Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http:// www.cisco.com/ is not required.

Contents

• Hardware Compatibility Matrix for Cisco cBR Series Routers, page 2 • Prerequisites for Transparent LAN Service over Cable, page 2 • Restrictions for Transparent LAN Service over Cable, page 3 • Information About Transparent LAN Service over Cable, page 3 • How to Configure the Transparent LAN Service over Cable, page 6 • Configuration Examples for Transparent LAN Service over Cable, page 8 • Verifying the Transparent LAN Service over Cable Configuration, page 10 • Additional References, page 11 • Feature Information for Transparent LAN Service over Cable, page 12

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 1 Transparent LAN Service over Cable Hardware Compatibility Matrix for Cisco cBR Series Routers

Hardware Compatibility Matrix for Cisco cBR Series Routers

Note The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.

Table 1: Hardware Compatibility Matrix for the Cisco cBR Series Routers

Cisco CMTS Platform Processor Engine Interface Cards Cisco cBR-8 Converged Cisco IOS-XE Release 3.15.0S Cisco IOS-XE Release 3.15.0S Broadband Router and Later Releases and Later Releases Cisco cBR-8 Supervisor: Cisco cBR-8 CCAP Line Cards: • PID—CBR-CCAP-SUP-160G • PID—CBR-LC-8D30-16U30 • PID—CBR-CCAP-SUP-60G1 • PID—CBR-LC-8D31-16U30 • PID—CBR-SUP-8X10G-PIC • PID—CBR-RF-PIC • PID—CBR-RF-PROT-PIC

Cisco cBR-8 Downstream PHY Modules: • PID—CBR-D30-DS-MOD • PID—CBR-D31-DS-MOD

Cisco cBR-8 Upstream PHY Modules: • PID—CBR-D30-US-MOD

1 Effective with Cisco IOS-XE Release 3.17.0S, CBR-CCAP-SUP-60G supports 8 cable line cards. The total traffic rate is limited to 60Gbps, the total number of downstream service flow is limited to 72268, and downstream unicast low-latency flow does not count against the limits.

Prerequisites for Transparent LAN Service over Cable

• You must know the hardware (MAC) addresses of the cable modems that are to be mapped to IEEE 802.1Q VLANs. • You must create a bridge group for each separate customer on the Layer 2 bridge aggregator, so that traffic from all of the Customer Premises Equipment (CPE) devices for the customer is grouped together into the same 802.1Q tunnel.

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 2 Transparent LAN Service over Cable Restrictions for Transparent LAN Service over Cable

Restrictions for Transparent LAN Service over Cable

• Configuring 802.1Q for a particular cable modem removes any previous cable modem configuration on the router. • We strongly recommend that TLS over Cable only be used when Baseline Privacy Interface (BPI) is enabled in the environment. If BPI is not enabled when using the TLS feature, traffic can flow between multiple virtual private networks (VPNs), and become vulnerable to denial-of-service attacks or snooping. We also recommend that remote networks be isolated with a gateway or firewall router when BPI is not enabled.

When the TLS feature is used with Layer 2 VPNs, the participating cable modems must have the Baseline Privacy Interface security feature (BPI) enabled. Otherwise, the Cisco CMTS drops such Layer 2 traffic in the upstream or downstream. • Packets are mapped to their Layer 2 tunnel only on the basis of Layer 2 information (the cable modem’s MAC address and primary SID). Layer 3 services, such as access lists, IP address source-verify, and IP QoS, are not supported as packets are sent through the tunnel. • All traffic from a cable modem is mapped to the same Layer 2 tunnel. It is not possible to differentiate traffic from different customer premises equipment (CPE) devices behind the cable modem. • CPE learning is not available when using the Transparent LAN Service over Cable feature. When a cable modem is mapped to a Layer 2 tunnel, the show interface cable modem command shows that the IP addresses for its CPE devices are “unavailable.” • DOCSIS QoS is supported across the Layer 2 tunnel only on the primary SID. Traffic using secondary services uses the same Layer 2 tunnel as the primary SID. • The Spanning Tree Protocol (STP) cannot be used with devices (cable modems, their CPE devices, and the endpoint CPE devices) that are using this feature. In particular, Spanning Tree Protocol cannot be used between the VLAN bridge aggregator and the endpoint customer devices. • The following restrictions apply to Layer 2 tunnels over an Ethernet IEEE 802.1Q VLAN interface: ◦ IEEE 802.1Q tunnels are supported only on Ten Gigabit Ethernet interfaces. ◦ The Cisco CMTS router supports a maximum of 4095 VLAN IDs, but the switches acting as the bridge aggregator might support a lower number of VLAN IDs. If this is the case, the Cisco CMTS should be configured only for the maximum number of VLANs that are supported by the bridge aggregator switches.

Information About Transparent LAN Service over Cable This section contains the following:

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 3 Transparent LAN Service over Cable Feature Overview

Feature Overview The Transparent LAN Service over Cable feature enables service providers to provide Layer 2 tunnels for traffic to and from cable modems. This allows customers to create their own virtual local area network (VLAN) using any number of cable modems in multiple sites. On the Cisco CMTS, you map each cable modem (on the basis of its MAC address) to the appropriate VLAN. The CMTS then creates an internal database of this one-to-one mapping of cable modems to VLANs, and uses it to encapsulate packets for the appropriate VLAN. The CMTS encapsulates the CPE traffic from mapped cable modems using the following method: • IEEE 802.1Q Mapping—The cable modem’s MAC address is mapped to an IEEE 802.1Q VLAN on a specific Ten Gigabit Ethernet interface, so that all traffic from the cable modem is tagged with the specified VLAN ID.

Traffic to and from this group of cable modems is bridged into a single logical network (the VLAN) by the bridge aggregator, creating a secure Virtual Private Network (VPN) for that particular group of cable modems. Traffic in one VLAN cannot be sent into another VLAN, unless specifically done so by an external router. The switch acting as the Layer 2 Bridge Aggregator uses the VLAN tagging to forward the traffic to the appropriate destination. This frees up service providers from needing to know the addressing, routing, and topological details of the customer’s network.

Transparent LAN Service and Layer 2 Virtual Private Networks In addition, service providers can provide a Layer 2 VPN with only minimal configuration changes on the provider’s routers. The service subscriber does not need to make any changes to their private network or cable modems, nor does the service provider have to provide any special DOCSIS configuration files to enable this feature. For the TLS feature with Layer 2 VPNs: • When the TLS feature is used with Layer 2 VPNs, the participating cable modems must have the Baseline Privacy Interface security feature (BPI) enabled. Otherwise, the Cisco CMTS drops such Layer 2 traffic in the upstream or downstream. • Information about Customer Premises Equipment (CPE) does not display in the output of the show cable modem command.

IEEE 802.1Q Mapping This section describes the mapping of cable modems to an IEEE 802.1Q VLAN, as it is available in the Transparent LAN Service over Cable feature:

Overview The Transparent LAN Service over Cable feature enables service providers to provide Layer 2 tunnels over an Ethernet network, using IEEE 802.1Q standard tags. This allows customers to create their own virtual network using any number of cable modems in different sites.

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 4 Transparent LAN Service over Cable Benefits

On the Cisco CMTS, you map each cable modem (on the basis of its MAC address) to the appropriate VLAN. The CMTS then creates an internal database of this one-to-one mapping of cable modems to VLANs, and uses it to encapsulate packets for the appropriate VLAN. The CMTS encapsulates the CPE traffic from mapped cable modems using VLAN tags, as defined in IEEE 802.1Q-1993, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks . The switch acting as the Layer 2 Bridge Aggregator uses the VLAN tagging to forward the packets to the appropriate destination. Traffic to and from this group of cable modems is bridged into a single logical network by the bridge aggregator, creating a secure Virtual Private Network (VPN) for that particular group of cable modems. Traffic in one VLAN cannot be sent into another VLAN, unless specifically done so by an external router.

Details of IEEE 802.1Q Mapping To implement the Transparent LAN Service over Cable feature using IEEE 802.1Q VLANs, a service provider must perform the following configuration steps: 1 Identify the cable modems and their MAC addresses that should be mapped to the IEEE 802.1Q VLANs. 2 Create the required VLANs on the router that is acting as the bridge aggregator. 3 Enable Layer 2 mapping on the Cisco CMTS, and then map each cable modem on that Cisco CMTS to the appropriate VLAN. After the Transparent LAN Service over Cable feature has been enabled and configured to use IEEE 802.1Q mappings, the Cisco CMTS immediately begins mapping traffic between the associated cable modems and VLANs. For efficient mapping, the Cisco CMTS maintains an internal database that links each cable modem’s primary service flow ID (SFID) and service ID (SID) to the appropriate VLAN and Ethernet interface. This ensures that all service flows from the cable modem are routed properly. When the Cisco CMTS receives a packet on an upstream, it looks up its SID to see if it is mapped to a VLAN. If so, and if the packet’s source MAC address is not the cable modem’s MAC address, the Cisco CMTS inserts the appropriate IEEE 802.1Q VLAN tag into the packet’s header and forwards the packet to the appropriate Ethernet interface. If the packet is not being mapped, or if the packet originated from the cable modem, the Cisco CMTS routes the packet using the normal Layer 3 processes. When the Cisco CMTS receives a packet from a WAN interface that is encapsulated with an IEEE 802.1Q VLAN tag, it looks up the packet’s SID to see if it belongs to a cable modem being mapped. If so, the Cisco CMTS strips off the VLAN tag, adds the proper DOCSIS header, and transmits the packet on the appropriate downstream interface. If the packet is not being mapped, the Cisco CMTS continues with the normal Layer 3 processing.

Benefits The Transparent LAN Service over Cable feature provides the following benefits to cable service providers and their partners and customers: • Provides Layer 2 level mapping, which is transparent to Layer 3 protocols and services. This means that service providers do not need to know the details of their customers’ network topologies, routing protocols, or IP addressing. • Allows service providers to maximize the use of their existing Ethernet WAN networks. Multiple customers can be combined on the same outgoing interface, while still ensuring that each customer’s network is kept private while it is transmitted over the tunnel.

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 5 Transparent LAN Service over Cable How to Configure the Transparent LAN Service over Cable

• Provides a highly flexible and scalable solution for multiple customers. The service provider needs to create only one bridge group for each VPN, and then only one VLAN mapping for each cable modem should participate in that VPN tunnel. • Customers retain full control over their private networks, while service providers retain full control over cable modems and the rest of the cable and WAN networks. Only the CPE traffic from the cable modems is mapped into the L2VPN tunnel, while traffic originating at the cable modem continues to be processed as normal by the service provider's network. • Allows service providers to mix tunneled and non-tunneled cable modems on the same DOCSIS cable network. • Allows customers to create a single, secure virtual network with Ethernet Layer 2 connectivity for multiple sites. • Allows multiple tunnels from different customers and endpoints to be aggregated into a single bridge, so as to maximize the use of bandwidth and other network resources. • Supports the tunneling of multiple Layer 3, non-IP protocols, and not just IP Layer 3 services, as is the case with Layer 3 solutions, such as Multiprotocol Label Switching (MPLS) VPNs. • All DOCSIS services, including BPI+ encryption and authentication, continue to be supported for all cable modems.

How to Configure the Transparent LAN Service over Cable This section contains the following:

Configuring IEEE 802.1Q VLAN Mapping This section describes how to enable Layer 2 mapping on the Cisco CMTS, and then to map particular cable modems to an IEEE 802.1Q VLAN.

Enabling and Configuring Layer 2 Tunneling for IEEE 802.1Q Mapping This section describes how to enable Layer 2 mapping on the Cisco CMTS, and then to map particular cable modems to IEEE 802.1Q VLANs on a Ten Gigabit Ethernet interface.

Procedure

Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example:

Router> enable

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 6 Transparent LAN Service over Cable Configuring IEEE 802.1Q VLAN Mapping

Command or Action Purpose Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal Step 3 cable l2-vpn-service xconnect nsi dot1q Enables Layer 2 tunneling for IEEE 802.1Q VLAN mapping. Example: Note It is not required to configure VLAN trunking Router(config)# cable on the Cisco CMTS. Though VLAN trunking l2-vpn-service xconnect nsi dot1q is supported, be aware of additional impact of VLAN trunking on the Cisco CMTS. Step 4 cable dot1q-vc-map mac-address Maps the specified MAC address of a cable modem ethernet-interface vlan-id [cust-name ] to the indicated VLAN and Ten Gigabit Ethernet interface. Example: Note Repeat this command for each cable modem Router(config)# cable dot1q-vc-map that is to be mapped to an IEEE 802.1Q 0000.0C04.0506 VLAN. TenGigabitEthernet4/1/0 10 Step 5 end Exits global configuration mode and returns to privileged EXEC mode. Example:

Router(config)# end

Creating the IEEE 802.1Q VLAN Bridge Group This section describes the minimum configuration needed to configure a Cisco router, which is acting as an IEEE 802.1Q VLAN bridge aggregator, so that it can terminate the VLANs being used with the Transparent LAN Service over Cable feature.

Procedure

Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example:

Router> enable Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 7 Transparent LAN Service over Cable Configuration Examples for Transparent LAN Service over Cable

Command or Action Purpose

Example: Step 3 interface TenGigabitEthernet Enters interface configuration mode for the Ten slot/subslot/port Gigabit Ethernet interface.

Example:

Router(config)# interface TenGigabitEthernet4/1/0 Step 4 ip address ip-address mask Configures the interface with the specified IP address and subnet mask. Example:

Router(config-if)# ip address 10.10.10.85 255.255.255.0 Step 5 exit Exits interface configuration and returns to global configuration mode. Example:

Router(config-if)# exit Step 6 interface TenGigabitEthernet Creates a subinterface on the Ten Gigabit Ethernet slot/subslot/port.y interface. Note To simplify network management, set the Example: subinterface number to the same value as the Router(config)# interface VLAN ID that will use this subinterface TenGigabitEthernet4/1/0.10 (which in this case is 10). Note The steps to create a subinterface is not essential for dot1q tagging of frames, but it is recommended. Step 7 bridge group number Configures this subinterface to belong to the specified bridge group. Example: Note Repeat steps Step 5 through Step 7 for each Router(config-if)# bridge group 20 subinterface to be created and bridged.

Step 8 end Exits interface configuration mode and returns to privileged EXEC mode. Example:

Router(config-if)# end

Configuration Examples for Transparent LAN Service over Cable This section lists sample configurations for the Transparent LAN Service over Cable feature on a CMTS router and on a Cisco router acting as a bridge aggregator:

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 8 Transparent LAN Service over Cable Example: Configuring IEEE 802.1Q VLAN Mapping

Example: Configuring IEEE 802.1Q VLAN Mapping The following partial configuration shows a typical configuration that shows a number of cable modems being mapped to two different IEEE 802.1Q VLANs.

cable l2-vpn-service xconnect nsi dot1q ! Customer 1 cable dot1q-vc-map 000C.0e03.69f9 TenGigabitEthernet 4/1/0 10 Customer1 cable dot1q-vc-map 0010.7bea.9c95 TenGigabitEthernet 4/1/0 11 Customer1 cable dot1q-vc-map 0010.7bed.81c2 TenGigabitEthernet 4/1/0 12 Customer1 cable dot1q-vc-map 0010.7bed.9b1a TenGigabitEthernet 4/1/0 13 Customer1 ! Customer 2 cable dot1q-vc-map 0002.fdfa.137d TenGigabitEthernet 4/1/0 20 Customer2 cable dot1q-vc-map 0006.28f9.9d19 TenGigabitEthernet 4/1/0 21 Customer2 cable dot1q-vc-map 000C.7b6b.58c1 TenGigabitEthernet 4/1/0 22 Customer2 cable dot1q-vc-map 000C.7bed.9dbb TenGigabitEthernet 4/1/0 23 Customer2 cable dot1q-vc-map 000C.7b43.aa7f TenGigabitEthernet 4/1/0 24 Customer2 cable dot1q-vc-map 0050.7302.3d83 TenGigabitEthernet 4/1/0 25 Customer2 ...

Example: Configuring IEEE 802.1Q Bridge Aggregator The following example shows a router being used as a bridge aggregator to transmit VLANs across the same Ten Gigabit Ethernet interface, using IEEE 802.1Q tagging.

! interface TenGigabitEthernet4/1/0 ip address 10.10.10.31 255.255.255.0 duplex full speed auto ! interface TenGigabitEthernet4/1/0.10 description Customer1-site10 encapsulation dot1Q 10 bridge-group 200 interface TenGigabitEthernet4/1/0.11 description Customer1-site11 encapsulation dot1Q 11 bridge-group 200 interface TenGigabitEthernet4/1/0.12 description Customer1-site12 encapsulation dot1Q 12 bridge-group 200 interface TenGigabitEthernet4/1/0.13 description Customer1-site13 encapsulation dot1Q 13 bridge-group 200 !------interface TenGigabitEthernet4/1/0.20 description Customer2-site20 encapsulation dot1Q 20 bridge-group 201 interface TenGigabitEthernet4/1/0.21 description Customer2-site21 encapsulation dot1Q 21 bridge-group 201 interface TenGigabitEthernet4/1/0.22 description Customer2-site22 encapsulation dot1Q 22 bridge-group 201 interface TenGigabitEthernet4/1/0.23 description Customer2-site23 encapsulation dot1Q 23 bridge-group 201 interface TenGigabitEthernet4/1/0.24

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 9 Transparent LAN Service over Cable Verifying the Transparent LAN Service over Cable Configuration

description Customer2-site24 encapsulation dot1Q 24 bridge-group 201 interface TenGigabitEthernet4/1/0.25 description Customer2-site25 encapsulation dot1Q 25 bridge-group 201 ! bridge 200 protocol ieee bridge 201 protocol ieee ...

Verifying the Transparent LAN Service over Cable Configuration

• show cable l2-vpn xconnect dot1q-vc-map —Displays the mapping information of the cable modems to IEEE 802.1Q VLANs. Following is a sample output of the command: Router# show cable l2-vpn xconnect dot1q-vc-map

MAC Address Ethernet Interface VLAN ID Cable Intf SID Customer Name/VPNID 38c8.5cac.4a62 TenGigabitEthernet4/1/2 56 Cable3/0/0 4 Customer2 38c8.5cfe.f6fa TenGigabitEthernet4/1/2 34 Cable3/0/0 3 Customer1 602a.d083.2e1c TenGigabitEthernet4/1/4 43 Cable3/0/0 5 Customer3

• show cable l2-vpn xconnect dot1q-vc-map customer name—Displays the mapping information of the cable modems to IEEE 802.1Q VLANs for the specified customer name. Following is a sample output of the command. Router# show cable l2-vpn xconnect dot1q-vc-map customer Customer1

MAC Address Ethernet Interface VLAN ID Cable Intf SID Customer Name/VPNID 38c8.5cfe.f6fa TenGigabitEthernet4/1/2 34 Cable3/0/0 3 Customer1

• show cable l2-vpn xconnect dot1q-vc-map mac-address—Displays the mapping information of the cable modems to IEEE 802.1Q VLANs for the specified MAC address. Following is a sample output of the command: Router# show cable l2-vpn xconnect dot1q-vc-map 38c8.5cac.4a62

MAC Address Ethernet Interface VLAN ID Cable Intf SID Customer Name/VPNID 38c8.5cac.4a62 TenGigabitEthernet4/1/2 56 Cable3/0/0 4 Customer2

• show cable l2-vpn xconnect dot1q-vc-map mac-address verbose—Displays additional information about the Layer 2 mapping, including the number of packets and bytes received on the upstream and downstream. Following is a sample output of the command: Router# show cable l2-vpn xconnect dot1q-vc-map 38c8.5cac.4a62 verbose

MAC Address : 38c8.5cac.4a62 Customer Name : Customer2 Prim Sid : 4 Cable Interface : Cable3/0/0 Ethernet Interface : TenGigabitEthernet4/1/2 DOT1Q VLAN ID : 56 Total US pkts : 1 Total US bytes : 342 Total DS pkts : 4

Cisco Converged Broadband Routers Software Configuration Guide For DOCSIS 10 Transparent LAN Service over Cable Additional References

Total DS bytes : 512

Additional References